Security and emergency strategy
-
I am currently contemplating a good security and emergency strategy, and maybe others here have thought about this too, so maybe someone has some deeper thoughts about this:
I am currently running two Cloudron instances, "private" and "business". Only I have access to "business", but it gives me the opportunity to split apps between two instances in case one fails.
However, I am generally willing and interested to host both passwords via Vaultwarden and also 2-factor authentication on Cloudron, possibly on separate instances. However, I need to secure my Vaultwarden instance with 2FA, obviously.
Now I am thinking, let's say worst case, both my laptop and my mobile phone get stolen. How do I get access now to my server and my data, considering that I cannot get access to my passwords or to confirm 2FA on a separate device?
Probably I need some sort of lifeline, but I am not really sure what this would look like, considering both security and practicability.
-
I’m logged into Bitwarden at work and keep Bitwarden backups (via bitwarden-cli) there as well (password protected).
-
I use a YubiKey to secure my VW. I had trouble logging in on a new device this week and thought it was YubiKey related; it turned out to be a date/time issue on the local machine. VW backs up to an encrypted S3 bucket (at Backblaze). It's recommended to have at least two YubiKeys (one active, one backup). The only con is the initial investment cost, as they're a bit pricey. I got mine during a Cloudflare promo.
-
Vaultwarden/Bitwarden actually has a few mechanisms for that.
For the second factor you will get a "recovery code" that they ask you to store in a secure location. This is a string of letters and numbers that can be used to override all configured second factors.
If you have lost your master password, or you're simply no longer around to give it to someone else, then Vaultwarden has a feature called "emergency access" where you can designate another user to gain access to your safe after a configurable wait time (so you could still object and prevent misuse). https://bitwarden.com/help/emergency-access/
For me personally, I have added my wife as my emergency contact, but since I know that she is not really a technically minded person, I also have a backup YubiKey at a secure location that has my master password stored as a static key and the above recovery key written down next to it.